Clarification on DestinationRule docs to ExportTo behavior #14820

Open
drequena opened this issue Apr 2, 2024 · 1 comment

drequena commented Apr 2, 2024

Hello everybody!

IMHO the Doc from DestinationRule isn't clear about the behavior of the ExportTo field.

Looking at other sources and by doing tests, the DestinationRule behavior changed since this PR:

From the Doc:

ExportTo - string[] -

"
A list of namespaces to which this destination rule is exported. The resolution of a destination rule to apply to a service occurs in the context of a hierarchy of namespaces. Exporting a destination rule allows it to be included in the resolution hierarchy for services in other namespaces. This feature provides a mechanism for service owners and mesh administrators to control the visibility of destination rules across namespace boundaries.

If no namespaces are specified then the destination rule is exported to all namespaces by default.

The value “.” is reserved and defines an export to the same namespace that the destination rule is declared in. Similarly, the value “*” is reserved and defines an export to all namespaces.
"

Since the behavior of DestinationRule changed, is this statement still true? "If no namespaces are specified then the destination rule is exported to all namespaces by default."

I'm trying to create a DestinationRule that needs to be applied to the whole cluster; however, due to administrative constraints, I can't create it in the istio-system namespace. For me, the statements in the Doc make it look like the ExportTo '*' should make the DestinationRule apply to all my clusters, but it doesn't.

Can someone clarify if the ONLY way to make a DestinationRule apply to the whole cluster is by creating it in the istio-system namespace? If not, I think this should be covered in the Docs.

Thanks.


jhonatanmorais commented Apr 26, 2024

Regarding the DestinationRule and its visibility:

I was reading this function setDestinationRules, and decided to take a look at its tests, to try to understand a bit better what is expected given each set of inputs.

In this scenario TestSetDestinationRuleWithExportTo, from what I understood, it tests the visibility of the DestinationRule, through the use of subsets.

Considering the default visibility, which is Public (exportTo: ["*"]), when looking at the test cases, it is only actually applied if:

  1. proxyNamespace is equal to destinationRuleNamespace, regardless of serviceNamespace
  2. proxyNamespace is anything, but the destinationRuleNamespace is equal to serviceNamespace*
  3. proxyNamespace is anything, but the destinationRuleNamespace is equal to rootNamespace (currently, istio-system)

*: where the object that defines the host is, as I understand it, be it ServiceEntry, Service, etc.

In other words, the DestinationRule is not applied to the proxy outside of this covered scope.
The exportTo, in this scenario, only serves to reduce the scope of visibility, when these criteria above are met, especially when a DestinationRule is created in the rootNamespace, which would result in propagation to all proxies.

From everything I've read, this is what I've understood. I don't know if it is complete and accurate enough, but I expect that helps to understand the situation.
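
The three conditions listed in the comment above, written out as a small Go model. This is an added example, not Istio's code and not from either commenter; the function names and sample namespaces are assumptions, and precedence between several matching rules is not modeled.

```go
package main

import "fmt"

// rootNamespace is the mesh root namespace named in the comment.
const rootNamespace = "istio-system"

// exportedTo reports whether exportTo makes a rule declared in drNS visible
// to proxyNS. An empty list is treated as ["*"]; "." means drNS itself.
func exportedTo(exportTo []string, drNS, proxyNS string) bool {
	if len(exportTo) == 0 {
		return true
	}
	for _, ns := range exportTo {
		if ns == "*" || ns == proxyNS || (ns == "." && drNS == proxyNS) {
			return true
		}
	}
	return false
}

// ruleApplies models the three conditions from the comment: the rule is a
// candidate only when it lives in the proxy's namespace, the service's
// namespace, or the root namespace; exportTo can then only narrow that scope.
func ruleApplies(proxyNS, serviceNS, drNS string, exportTo []string) bool {
	inScope := drNS == proxyNS || drNS == serviceNS || drNS == rootNamespace
	return inScope && exportedTo(exportTo, drNS, proxyNS)
}

func main() {
	// Constructed cases: proxy in "app-a", service host defined in "svc-ns".
	cases := []struct {
		drNS     string
		exportTo []string
	}{
		{"team-x", []string{"*"}},       // the situation described in the issue
		{"app-a", nil},                  // condition 1
		{"svc-ns", nil},                 // condition 2
		{"istio-system", nil},           // condition 3
		{"istio-system", []string{"."}}, // exportTo narrows the root rule
	}
	for _, c := range cases {
		fmt.Printf("rule in %-12s exportTo=%v applies=%v\n",
			c.drNS, c.exportTo, ruleApplies("app-a", "svc-ns", c.drNS, c.exportTo))
	}
}
```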
